Copying and mounting secret config files

[cosminonea]

I am using Kamal 2 to deploy a background job. The job needs to connect to a Google Cloud SQL instance. I am running the cloud proxy as an accessory service like below:

accessories:
  db:
    image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:latest
    cmd: "--credentials-file /.gcloud/sql-proxy-key.json [project-id]:europe-west3:instance-1 --address 0.0.0.0 --port 5432"
    host: [host-ip]
    port: "127.0.0.1:5432:5432"

This fails because the /.gcloud/sql-proxy-key.json doesn't exist in the container.

How would I copy that file (and other secret files) from my machine onto the host during setup or deploy? Does kamal do that or do I have to push the files onto the host outside kamal?

[morgoth]

@cosminonea You can use "files" config, something like:

accessories:
  db:
    files:
      - path-to-file-in-your-repo:/.gcloud/sql-proxy-key.json:ro

See https://kamal-deploy.org/docs/configuration/accessories/#copying-files

BTW, the better place for asking such questions is https://github.com/basecamp/kamal/discussions

[cosminonea]

Thanks @morgoth

I read the documentation but these are secret files though, they won't be in the repo. But I guess I can put them in the repo as a pre-deployment step in a Github Action, is this how one would do it?

[morgoth]

By default kamal builds image from the git commited files only, so you would need to change the build context to make it work this way. https://kamal-deploy.org/docs/configuration/builder-examples/#using-a-different-dockerfile-or-context-when-building

[cosminonea]

That is for building the image, which happens on the build machine not the host (where the docker containers will be running) as I understand it. And also, you wouldn't want the secret files to be bundled into the image.